Last Week in Security (LWiS) - 2024-01-23

Microsoft hacked, GraphStrike (@Octoberfest73), GPO based LPEs (@decoder_it), AwaitFuscator (@washi_dev), ProxyHelper2 (@hoodoer), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-01-15 to 2024-01-23.


Techniques and Write-ups

Tools and Exploits

  • Cobalt-Strike-Profiles-for-EDR-Evasion - Some ideas to modify CS profiles to bypass simple EDR checks. However, if you want to use SourcePoint I'm not sure I would trust the copy in this random repository...
  • GraphStrike - Cobalt Strike HTTPS beaconing over Microsoft Graph API implemented as a user defined reflective loader (URDL). Appreciate the Why? section on this one. Better hope those Blue team network sensors have really good anomaly detection, because this will use legitimate microsoft domains for C2. However, now you have Microsoft's threat team to deal with, and there has been some discussion that they will ban accounts that conduct C2 over their API if they detect it.
  • hi_my_name_is_keyboard. Zero click Bluetooth exploits for Android prior to the 2023-12-05 security patch (and Android <= 10 forever). Nice close access method to get payloads on an Android phone (assuming the target won't notice their screen acting up on its own). It also works against macOS and iOS (iOS < 17.2, Magic Keyboard Firmware < 2.0.6) if you can trigger it exactly when the computer/phone attempts to connect with an Apple Magic keyboard via Bluetooth.
  • slippy-book-exploit - CVE-2023-44451, CVE-2023-52076: RCE Vulnerability affected popular Linux Distros including Mint, Kali, Parrot, Manjaro etc. EPUB File Parsing Directory Traversal Remote Code Execution.
  • atril_cbt-inject-exploit - CVE-2023-44452, CVE-2023-51698: CBT File Parsing Argument Injection that affected Popular Linux Distros.
  • Awaiting the Awaitables - Building the AwaitFuscator. I doubt this is practical for programs of any complexity, but it's got to be one of the most bizarre obfuscators since the movfuscator. Code here.
  • proxy-helper-the-sequel - Port/rework of proxy-helper plugin for hak5 Pineapples.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • How to protect Evilginx using Cloudflare and HTML Obfuscation - Some solid OPSEC tips on protecting your RTA infrastructure.
  • Realm - Realm is a cross platform Red Team engagement platform with a focus on automation and reliability. This was in the LWiS 2023-10-24, but the ShmooCon talk is what bubbled it back up for me and made me really look into it. The docs look great and I plan to play with this one very soon.
  • GHunt - Recently got an update (OAuth based instead of cookies). Check it out!
  • ADCSync - Use ESC1 to perform a makeshift DCSync and dump hashes.
  • RemoteRegSave - A .NET implementation to dump SAM, SYSTEM, SECURITY registry hives from a remote host.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.